
Virtual Private Cloud:Overview of VPC sharing

Last Updated:Nov 06, 2023

The Virtual Private Cloud (VPC) sharing feature allows multiple Alibaba Cloud accounts to create cloud resources, such as Elastic Compute Service (ECS) instances, Server Load Balancer (SLB) instances, and ApsaraDB RDS instances, in a single VPC that is shared and centrally managed. VPC sharing is built on the Resource Sharing mechanism: the VPC owner can share non-default vSwitches in the VPC with one or more other Alibaba Cloud accounts.

Features and supported regions

Supported regions

Asia Pacific - China: China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Hangzhou), China (Shanghai), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), and China (Hong Kong)

Asia Pacific - Others: Japan (Tokyo), South Korea (Seoul), Singapore, Australia (Sydney), Malaysia (Kuala Lumpur), Indonesia (Jakarta), Philippines (Manila), Thailand (Bangkok), and India (Mumbai)

Europe & Americas: Germany (Frankfurt), UK (London), US (Silicon Valley), and US (Virginia)

Features

A VPC owner (resource owner) can share non-default vSwitches in the VPC with one or more Alibaba Cloud accounts (principals). The principals can then create cloud resources in the shared vSwitches. A resource owner can share resources with Alibaba Cloud accounts in the same enterprise organization or in a different one. For more information about Resource Sharing, see Resource Sharing overview.

After a VPC owner shares a vSwitch:

  • If the vSwitch is shared with another Alibaba Cloud account, the principal must accept the invitation to use the shared vSwitch.

  • If the vSwitch is shared within the same resource directory, the principal can directly use the shared vSwitch. The invitation is accepted by default.

  • The principal can create resources only within the shared VPC, and cannot move resources from the shared VPC to another VPC.

  • The principal cannot move resources from a non-shared vSwitch to the shared vSwitch.

  • By default, instances created by the resource owner and principal in the same VPC can communicate with each other within the VPC.

Figure: shared VPC diagram

Permissions of the resource owner and principals

After a resource owner shares a vSwitch with a principal, the resource owner and principal have the following permissions on the shared vSwitch and the resources in the shared vSwitch:

Resource owner

  Supported operations:

    • Create, view, modify, and delete resources that belong to the resource owner in the shared vSwitch.

    • View the following attributes of ENIs created by the principal in the shared vSwitch: the instance IDs, the private IP addresses, and the owner account of the resources.

  Unsupported operations:

    • Modify or delete resources created by the principal in the shared vSwitch.

Principal

  Supported operations:

    • While the vSwitch is shared with the principal: create, modify, and delete resources in the shared vSwitch.

    • After the vSwitch is no longer shared: view, use, modify, and delete the resources that the principal created in the vSwitch.

  Unsupported operations:

    • While the vSwitch is shared: view, modify, or delete resources created by other Alibaba Cloud accounts (the resource owner and other principals) in the shared vSwitch.

    • After the vSwitch is no longer shared: view the resources associated with the vSwitch, such as the VPC, route tables, and network access control lists (ACLs), or create new resources in the vSwitch.

The resource owner and principal have the following permissions on other network resources:

VPC

  Resource owner: all permissions.

  Principal: view the VPC to which the shared vSwitch belongs.

vSwitch

  Resource owner: all permissions, including enabling and disabling the IPv6 feature for the shared vSwitch.

  Note: Before the resource owner can delete the vSwitch, the vSwitch must no longer be shared with any principal, and the resources created in the vSwitch by the resource owner and principals must be deleted.

  Principal:

    • View the shared vSwitch.

    • Create, modify, and delete cloud resources in the shared vSwitch.

Route table

  Resource owner: all permissions.

  Principal: view the route tables and route entries that are associated with the shared vSwitch.

Network ACL

  Resource owner: all permissions.

  Principal: view the network ACLs that are associated with the shared vSwitch.

CIDR block

  Resource owner: view the CIDR block of the VPC and the CIDR blocks of all vSwitches in the VPC.

  Principal: view the private CIDR block of the shared vSwitch.

Flow log

  Resource owner:

    • Create flow logs for a VPC or a vSwitch. The flow logs apply to the ENIs of ECS instances in the vSwitches that belong to the resource owner.

    • Create flow logs for ENIs that belong to the resource owner.

  Principal: create flow logs for ENIs that belong to the principal.

NAT gateway

  Resource owner: all permissions on Internet NAT gateways and VPC NAT gateways.

  Note:

    • The resources created by the resource owner and principals in the vSwitch can communicate with the Internet through Internet NAT gateways.

    • Internet NAT gateways can be associated only with elastic IP addresses (EIPs) that belong to the resource owner.

  Principal: no permission.

VPN gateway

  Resource owner: all permissions.

  Note: The resources created by the resource owner and principals in the vSwitch can communicate with external networks through VPN gateways.

  Principal: no permission.

Cloud Enterprise Network (CEN) instance

  Resource owner: all permissions.

  Note: The resources created by the resource owner and principals in the vSwitch can communicate with external networks through CEN instances.

  Principal: no permission.

VPC peering connection

  Resource owner: all permissions.

  Note: The resources created by the resource owner and principals in the vSwitch can communicate with external networks through VPC peering connections.

  Principal: no permission.

Tag

  Resource owner: resource sharing does not affect the tags that the resource owner adds to its resources.

  Principal: while the vSwitch is shared, the resource owner and the principal can each add tags to their own resources. The principal cannot view the tags added by the resource owner, and the resource owner cannot view the tags added by the principal; the two sets of tags do not affect each other. When the vSwitch is no longer shared, the system deletes the tags that the principal added in the vSwitch.

Billing rules

In a shared VPC, principals pay for the instances that they create, such as ECS, SLB, and ApsaraDB RDS instances. However, fees for public bandwidth and gateway resources such as Internet NAT gateways and VPN gateways are paid by the resource owner. For more information about the billing of cloud resources, see relevant topics.

Limits on use

Maximum number of principals supported by each VPC

  Limit: 50

Maximum number of principals supported by each vSwitch in a VPC

  Limit: 50

Maximum number of vSwitches that can be shared with each principal

  Limit: 30

The three quotas above are adjustable. You can request a quota increase by using one of the following methods:

Maximum number of IP addresses that each VPC can use

  Limit: the maximum number of IP addresses that the resource owner and principals together can use in each VPC.

  Adjustable: N/A

Types of cloud resources that can be created in a shared vSwitch

  • ECS instances

  • SLB instances

  • ApsaraDB RDS instances

  • Terway component

  • ApsaraDB for MongoDB instances

  • ApsaraDB for Redis instances

  • ApsaraMQ for Kafka instances

  • Elasticsearch

  • Container Registry instances

  • PolarDB for MySQL clusters

  • ApsaraMQ for RocketMQ instances

  • Microservices Engine

  Adjustable: N/A

Limits on security groups in a shared VPC

  • A principal cannot create resources in security groups that belong to other principals or to the resource owner, including the default security group.

  • The resource owner cannot create resources in security groups that belong to principals.

Types of vSwitches that can be shared

  Non-default vSwitches only.

Note

Shared VPCs are also subject to the usage and quota limits of standard VPCs. The quota limits of a shared VPC are not affected by the number of principals.
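As an added example that is not part of this page and not Alibaba Cloud's own tooling, the following Python script checks a planned sharing layout against the rules described in the Features section and the quotas and security group limits listed above: only non-default vSwitches may be shared, an invitation to an account outside the resource directory must be accepted before that principal can create resources, the default quotas of 50 principals per VPC, 50 principals per vSwitch and 30 shared vSwitches per principal, and the rule that an account can only create resources in its own security groups. The record types, the inventory format and the account and resource IDs in demo() are assumptions constructed for the example.

```python
"""Pre-flight validator for a shared-VPC plan (added example; not Alibaba Cloud
tooling). It encodes the sharing rules and default quotas stated on this page
as checks over an inventory you assemble yourself; the record types and the
sample accounts in demo() are assumptions."""
from collections import defaultdict
from dataclasses import dataclass

# Default quotas from the page (these three can be raised on request).
MAX_PRINCIPALS_PER_VPC = 50
MAX_PRINCIPALS_PER_VSWITCH = 50
MAX_VSWITCHES_PER_PRINCIPAL = 30


@dataclass
class VSwitch:
    vswitch_id: str
    vpc_id: str
    owner: str        # account that owns the VPC (the resource owner)
    is_default: bool  # only non-default vSwitches can be shared


@dataclass
class Share:
    vswitch_id: str
    principal: str                 # account the vSwitch is shared with
    same_resource_directory: bool  # same RD: invitation accepted by default
    accepted: bool                 # any other account must accept first


@dataclass
class Placement:
    """A planned resource creation: creator account, target vSwitch, security group."""
    creator: str
    vswitch_id: str
    sg_id: str


def validate_plan(vswitches, shares, sg_owners, placements):
    """Return sorted findings; an empty list means the plan respects the page's rules.
    sg_owners maps a security group ID to the account that owns it."""
    findings = []
    vsw = {v.vswitch_id: v for v in vswitches}
    per_vpc, per_vswitch, per_principal = defaultdict(set), defaultdict(set), defaultdict(set)
    usable = set()  # (principal, vswitch_id) pairs the principal may create in

    for s in shares:
        v = vsw[s.vswitch_id]
        if v.is_default:
            findings.append(f"{v.vswitch_id}: default vSwitch cannot be shared")
            continue
        per_vpc[v.vpc_id].add(s.principal)
        per_vswitch[v.vswitch_id].add(s.principal)
        per_principal[s.principal].add(v.vswitch_id)
        if s.same_resource_directory or s.accepted:
            usable.add((s.principal, v.vswitch_id))
        else:
            findings.append(f"{v.vswitch_id}: invitation to {s.principal} not yet accepted")

    for vpc_id, ps in per_vpc.items():
        if len(ps) > MAX_PRINCIPALS_PER_VPC:
            findings.append(f"{vpc_id}: {len(ps)} principals exceeds {MAX_PRINCIPALS_PER_VPC}")
    for vswitch_id, ps in per_vswitch.items():
        if len(ps) > MAX_PRINCIPALS_PER_VSWITCH:
            findings.append(f"{vswitch_id}: {len(ps)} principals exceeds {MAX_PRINCIPALS_PER_VSWITCH}")
    for principal, vs in per_principal.items():
        if len(vs) > MAX_VSWITCHES_PER_PRINCIPAL:
            findings.append(f"{principal}: {len(vs)} shared vSwitches exceeds {MAX_VSWITCHES_PER_PRINCIPAL}")

    for p in placements:
        v = vsw[p.vswitch_id]
        # The owner may always create in its own vSwitch; a principal needs a usable share.
        if p.creator != v.owner and (p.creator, v.vswitch_id) not in usable:
            findings.append(f"{p.creator} cannot create in {v.vswitch_id}: no accepted share")
        # Neither owner nor principal may create in another account's security group.
        if sg_owners[p.sg_id] != p.creator:
            findings.append(f"{p.creator} cannot use security group {p.sg_id} owned by {sg_owners[p.sg_id]}")
    return sorted(findings)


def demo():
    """Run the validator over a constructed inventory (sample data, not real accounts)."""
    vswitches = [VSwitch("vsw-app", "vpc-shared", "owner-acct", False),
                 VSwitch("vsw-default", "vpc-shared", "owner-acct", True)]
    shares = [Share("vsw-app", "acct-rd", True, False),     # same RD: usable at once
              Share("vsw-app", "acct-ext", False, False),   # external, invitation pending
              Share("vsw-default", "acct-rd", True, True)]  # default vSwitch: not allowed
    sg_owners = {"sg-owner": "owner-acct", "sg-rd": "acct-rd", "sg-ext": "acct-ext"}
    placements = [Placement("acct-rd", "vsw-app", "sg-rd"),       # allowed
                  Placement("acct-rd", "vsw-app", "sg-owner"),    # owner's security group
                  Placement("acct-ext", "vsw-app", "sg-ext"),     # share not accepted yet
                  Placement("owner-acct", "vsw-app", "sg-rd")]    # principal's security group
    return validate_plan(vswitches, shares, sg_owners, placements)
```

Run demo() before applying a sharing change: an empty findings list means the plan is consistent with the rules on this page, and each finding names the account or resource that breaks one. The quota constants are the page's defaults; replace them with your account's actual values if you have requested an increase.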

Enable VPC sharing

For more information, see Enable VPC sharing.